Possible security flaws

On 04.05.2004 19:01:39 by Jan Eden

Hi all,

could you point out the possible security problems with the following design (planned)?

I have a database on my ISP's server which is accessible via a read-only and a read/write account.

Now the CGI scripts I wrote to handle the database call the following subroutine from a module:

sub mysql_config {
    my $mode = shift;
    my ($server, $db, $username, $password);
    if ($mode eq 'local') {
        # local configuration
        $server   = 'localhost';      # The database server
        $db       = '************';   # The name of our database.
        $username = '********';       # the username
        $password = '************';   # the password
    # editor configuration
    } elsif ($mode eq 'editor') {
        # pair.com configuration (write)
        $server   = '***********';    # The database server
        $db       = '*******';        # The name of our database
        $username = '***********';    # the username for reading/writing
        $password = '*************';  # the password
    } else {
        # read-only configuration
        $server   = '**********';     # The database server
        $db       = '******';         # The name of our database
        $username = '************';   # the username for reading
        $password = '*********';      # the password
    }
    return ($server, $db, $username, $password);
}

So if I call the script via the net in 'editor' mode, I have write access. But my editing script utilizes a user check like this:

use DBI;   # the module that provides user_check loads DBI

sub user_check {
    my ($user_id, $user_name_input, $user_password_input, $mode) = @_;
    my ($server, $db, $username, $password) = mysql_config($mode);
    my $dbh = DBI->connect("dbi:mysql:$db:$server", $username, $password,
                           { RaiseError => 1 });
    # user_id is interpolated straight into the SQL string
    my $query = "SELECT user_name, user_password FROM users WHERE user_id = $user_id";
    my $sth = $dbh->prepare($query);
    $sth->execute();
    my ($user_name, $user_password) = $sth->fetchrow_array;
    $sth->finish();
    return 1 if $user_name_input eq $user_name && $user_password_input eq $user_password;
    return 0;
}

If no username/password is given (or if the wrong values are entered), the editing script generates an identification page; otherwise (if user_check returns 1), the editing form with the values of the page is printed out.

At which point is this setup vulnerable? So far, I have only used local editing, and I still bear in mind that there's evil out there. ;-)

Thanks,

Jan
-- 
These are my principles and if you don't like them... well, I have others. - Groucho Marx

--
MySQL Perl Mailing List
For list archives: http://lists.mysql.com/perl
To unsubscribe: http://lists.mysql.com/perl?unsub=gcdmp-msql-mysql-modules@m.gmane.org
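As an added example (not Jan's code and not part of the original thread), one way to harden the posted user_check: the user_id is bound through a DBI placeholder instead of being interpolated into the SQL string, and the users table stores a salted SHA-256 hash rather than the cleartext password. It assumes DBD::SQLite for an in-memory database so it runs stand-alone; the table, salt and credentials are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);

# Assumption: DBD::SQLite is installed; an in-memory database stands in for
# the MySQL database so the example runs offline. Against MySQL only the
# connect() line changes, the placeholder query below stays the same.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed sample table: the password column holds a salted hash, so a
# read of the table does not hand out reusable cleartext passwords.
$dbh->do('CREATE TABLE users (user_id INTEGER PRIMARY KEY,
                              user_name TEXT, salt TEXT, pw_hash TEXT)');
my $salt = 'constructed-salt';   # in real use: a random per-user value
$dbh->do('INSERT INTO users VALUES (?, ?, ?, ?)', undef,
         42, 'jan', $salt, sha256_hex($salt . 'correct horse'));

# Hardened user_check: the id is validated and then bound with a placeholder,
# so client input can never change the shape of the query; the password
# check hashes the input with the stored salt and compares hashes.
sub user_check {
    my ($dbh, $user_id, $user_name_input, $user_password_input) = @_;
    return 0 unless defined $user_id && $user_id =~ /\A\d+\z/;   # numeric ids only
    my $sth = $dbh->prepare(
        'SELECT user_name, salt, pw_hash FROM users WHERE user_id = ?');
    $sth->execute($user_id);
    my ($user_name, $row_salt, $pw_hash) = $sth->fetchrow_array;
    $sth->finish;
    return 0 unless defined $user_name;   # unknown id answers like a wrong password
    my $ok = ($user_name_input eq $user_name)
          && (sha256_hex($row_salt . $user_password_input) eq $pw_hash);
    return $ok ? 1 : 0;
}

# Demonstration: correct credentials, a wrong password, and a non-numeric id
# that the original query would have pasted straight into the SQL text.
printf "correct credentials: %d\n", user_check($dbh, 42, 'jan', 'correct horse');
printf "wrong password:      %d\n", user_check($dbh, 42, 'jan', 'guess');
printf "non-numeric user_id: %d\n", user_check($dbh, 'not-a-number', 'jan', 'guess');
```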